Why can we not stay logged in?

This is the only forum I have used in the past 10 years that forces me to log in every day. Why can I not stay logged in? Why is this not an option?

On Wed, 12 Sep 2012 22:46:01 +0000, 6tr6tr wrote:

> This is the only forum I have used in the past 10 years that forces me
> to log in every day. Why can I not stay logged in? Why is this not an
> option?

We’ve had this question before and have answered it. Generally comes
down to the fact that the authentication is tied to login information
that’s used for more sensitive information like licenses for SLE.

However we’ve recently had the timeout upped to 8 hours from the previous
4 (which was itself an increase from what I remember the original being,
2 hours).

We are not likely to move to a “never expire” scenario, as that’s not
generally considered a secure option.

Jim

Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

I note the FAQ

Why do the forums sometimes act like I’m not logged in when I’m logged in? The forums use SUSE Login which has a connection timeout. The forums have their own timeout. If you are idle for too long (usually over 3 hours) or you come to the forums from another location on the openSUSE site, the forum and SUSE timeout may not match up causing it to look like you are logged in, but not allowing you to post. If that happens to you, clear your browser session and start over again at the forum home page, login, and you should be on your way.

We should probably update it to reflect the change.

On Wed, 12 Sep 2012 23:26:01 +0000, deano ferrari wrote:

> We should probably update it to reflect the change.

I was looking at that as well - yeah, that does need to be updated.

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

It seems more like three times a day. Once a day would be so much nicer.

On Wed, 12 Sep 2012 23:56:01 +0000, nrickert wrote:

> 6tr6tr;2486594 Wrote:
>> This is the only forum I have used in the past 10 years that forces me
>> to log in every day.
>
> It seems more like three times a day. Once a day would be so much
> nicer.

The timeout did get changed, but something worth noting is that the
cookie is a session cookie - so if you close your browser, you will get
logged out.

But if you leave the browser open, you should stay logged in for 8 hours.

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

…which is extremely annoying. :\

On Thu, 13 Sep 2012 10:06:01 +0000, zerum wrote:

> hendersj;2486625 Wrote:
>> The timeout did get changed, but something worth noting is that the
>> cookie is a session cookie - so if you close your browser, you will get
>> logged out.
> …which is extremely annoying. :\

Not quite as annoying as the issue it’s intended to resolve, which is
being stuck in a limbo somewhere between logged in and not logged in.

Jim

Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

I know this is a huge change, but it seems to me to be a necessary one: please decouple the sensitive info login from the forum login. The two should never have been combined. For example, I would never use my bank account login as the same login for a help forum on my bank’s website. It’s a big risk (due to social engineering or even accidental personal info leakage).

On Thu, 13 Sep 2012 19:36:01 +0000, 6tr6tr wrote:

> I know this is a huge change, but it seems to me to be a necessary one:
> please decouple the sensitive info login from the forum login. The two
> should never have been combined. For example, I would never use my bank
> account login as the same login for a help forum on my bank’s website.
> It’s a big risk (due to social engineering or even accidental personal
> info leakage).

We really can’t make that kind of a change without disrupting 70,000
registered users - and that’s not likely to happen.

In addition, if we did that on the forums, then the login credentials
that are used at susestudio.com, the openSUSE wiki, openSUSE Connect, and
all the other sites would not match the credentials here. Integrating
all of these systems provides us with a single credential across all of
the openSUSE sites as well as suse.com, novell.com, and netiq.com.

The login system holds the credentials, and without the credentials
nobody could log in. The password cannot be exported (which actually
makes these forums more secure than other forums where the password is
stored in the database with all the messages).

It’s too large a change for the minor inconvenience of having to log in
when you visit.

Jim

Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

On 2012-09-13 22:22, Jim Henderson wrote:
> On Thu, 13 Sep 2012 19:36:01 +0000, 6tr6tr wrote:
>
>> I know this is a huge change, but it seems to me to be a necessary one:
>> please decouple the sensitive info login from the forum login. The two
>> should never have been combined. For example, I would never use my bank
>> account login as the same login for a help forum on my bank’s website.
>> It’s a big risk (due to social engineering or even accidental personal
>> info leakage).
>
> We really can’t make that kind of a change without disrupting 70,000
> registered users - and that’s not likely to happen.

But he is right.

People do not consider login to a forum as a high security operation, but the login is the same
as for the rest of Novell services. People will not keep the login data secure. This is a high risk.


Cheers / Saludos,

Carlos E. R.
(from 12.1 x86_64 “Asparagus” at Telcontar)

On Thu, 13 Sep 2012 22:33:06 +0000, Carlos E. R. wrote:

> People do not consider login to a forum as a high security operation,
> but the login is the same as for the rest of Novell services. People will
> not keep the login data secure. This is a high risk.

Which is why there’s a session cookie and a timeout.

If he really wants to avoid login, NNTP is an option, or the mailing
lists are an option.

We’ve increased the timeout to 8 hours which should be more than
sufficient.

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

On Fri, 14 Sep 2012 00:18:06 +0000, Jim Henderson wrote:

> On Thu, 13 Sep 2012 22:33:06 +0000, Carlos E. R. wrote:
>
>> People do not consider login to a forum as a high security operation,
>> but the login is the same as for the rest of Novell services. People
>> will not keep the login data secure. This is a high risk.
>
> Which is why there’s a session cookie and a timeout.
>
> If he really wants to avoid login, NNTP is an option, or the mailing
> lists are an option.
>
> We’ve increased the timeout to 8 hours which should be more than
> sufficient.

In addition - any login information should properly be treated as
confidential.

Would anyone like to have someone steal their credentials and pose as
them, ruining their reputation? Would anyone want to be banned because
they had let someone else use their account to post spam or offensive
material?

From the openSUSE legal documents (which the T&Cs reference):

— snip —

You are responsible for maintaining the confidentiality of your Service
password and account, and are responsible for all activities that occur
thereunder.

— snip —

It’s poor security practice to disclose your password to /anyone/,
regardless of the service the credentials are used for. Rather than
promote poor security practices, let’s promote good security
practices. Your passwords are for your use. Don’t give them out. Don’t
leave your computer unlocked while connected to an online service of any
kind.

Jim

Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

On 2012-09-14 02:32, Jim Henderson wrote:

> In addition - any login information should properly be treated as
> confidential.

Why? It is only a forum, nothing serious.

> Would anyone like to have someone steal their credentials and pose as
> them, ruining their reputation? Would anyone want to be banned because
> they had let someone else use their account to post spam or offensive
> material?

It doesn’t matter, it is only a forum. You can create a new identity anytime.

> From the openSUSE legal documents (which the T&Cs reference):
>
> — snip —
>
> You are responsible for maintaining the confidentiality of your Service
> password and account, and are responsible for all activities that occur
> thereunder.
>
> — snip —

Who cares?

(notice that I’m playing the devil’s advocate here…) :slight_smile:

What I’m trying to say is that it is wrong to have the same credentials used for serious uses
and for a forum.


Cheers / Saludos,

Carlos E. R.
(from 12.1 x86_64 “Asparagus” at Telcontar)

On Fri, 14 Sep 2012 01:28:09 +0000, Carlos E. R. wrote:

> (notice that I’m playing the devil’s advocate here…) :slight_smile:

I noticed, and I don’t really have time to play devil’s advocate.

I’ve explained why it is the way it is and why it’s not likely to
change. I really don’t have an interest in further debate.

Jim

Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

Jim Henderson wrote:
> On Thu, 13 Sep 2012 22:33:06 +0000, Carlos E. R. wrote:
>
>> People do not consider login to a forum as a high security operation,
>> but the login is the same as for the rest of Novell services. People will
>> not keep the login data secure. This is a high risk.
>
> Which is why there’s a session cookie and a timeout.
>
> If he really wants to avoid login, NNTP is an option, or the mailing
> lists are an option.

Exactly. The current setup is enough to make me use NNTP and the
mailing lists but not the forum’s web interface. Neither do I contribute
to the wiki or anything else that requires me to use the login.

In other words, your current policy is one factor driving me away.
Fortunately, there are currently other factors that keep me here.

IMHO, the security model is broken. There may be pragmatic reasons for
not mending it at the moment, but it is better to say so than to
continue to try to pretend that it is not broken.

How about a vote of the 70,000 users?

On 2012-09-14 06:27, Jim Henderson wrote:
> On Fri, 14 Sep 2012 01:28:09 +0000, Carlos E. R. wrote:
>
>> (notice that I’m playing the devil’s advocate here…) :slight_smile:
>
> I noticed, and I don’t really have time to play devil’s advocate.
>
> I’ve explained why it is the way it is and why it’s not likely to
> change. I really don’t have an interest in further debate.

Ok, but do not defend that it is a sane system either.


Cheers / Saludos,

Carlos E. R.
(from 12.1 x86_64 “Asparagus” at Telcontar)

On Fri, 14 Sep 2012 10:07:02 +0000, Dave Howorth wrote:

> There may be pragmatic reasons for not mending it at the moment, but it
> is better to say so than to continue to try to pretend that it is not
> broken.

I have said so.

But honestly, I really fail to understand what’s so onerous about having
to log in every time? (There /have/ been issues with login that we’ve
been addressing, and will continue to address - but not allowing logins
to last forever isn’t an issue from where I stand - it’s good security
practice, regardless of the sensitivity of the data)

Jim

Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

On Fri, 14 Sep 2012 11:58:07 +0000, Carlos E. R. wrote:

> On 2012-09-14 06:27, Jim Henderson wrote:
>> On Fri, 14 Sep 2012 01:28:09 +0000, Carlos E. R. wrote:
>>
>>> (notice that I’m playing the devil’s advocate here…) :slight_smile:
>>
>> I noticed, and I don’t really have time to play devil’s advocate.
>>
>> I’ve explained why it is the way it is and why it’s not likely to
>> change. I really don’t have an interest in further debate.
>
> Ok, but do not defend that it is a sane system either.

Carlos, you’re bikeshedding.

As I explained to David, there have been (and in some instances, continue
to be) issues with the cookies not working as expected. Those issues are
being addressed.

But the intention is that login be required, and I completely fail to
understand how it is that logging in after 8 hours of inactivity or when
starting a new browser is onerous.

Perhaps we should just enable anonymous users to post? (No, I’m not
/really/ suggesting that, either).

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

That misstates the problem.

I have to log in after 8 hours, even if there was a lot of activity, with the most recent activity perhaps only 30 minutes earlier.

For me, good security practices dictate:

log in to Bugzilla, report a bug, log out.

log in to the forum. Stay logged in all day, since I will be visiting several times.

Those practices are in conflict with the present setup.

I would like to treat Bugzilla as a high security site, where I only stay logged in for the time needed. For the forum to work, I need to treat the forum as a site where security is less critical. Because those logins are currently tied together, I either have to follow insecure practices for Bugzilla (stay logged in for too long), or stop using the forum. And no, I don’t want to go to NNTP for the forum.
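Two mechanisms are being discussed in this thread without being separated: the session cookie that the browser discards when it closes (Jim’s explanation of why closing the browser logs you out), and the server-side expiry, which in the last post above is evidently an absolute 8-hour limit that logs out even an active user rather than an idle timeout that would not. The following is an added example, not code from the original thread or from the openSUSE forum software. The cookie name, the session ids, the timestamps and the visit pattern are constructed for illustration; only the 8-hour figure and the "active 30 minutes before expiry" scenario come from the thread.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Constructed placeholder; not the forum's real cookie name.
COOKIE_NAME = "forum_sid"


def set_cookie_header(sid: str, max_age: Optional[timedelta] = None) -> str:
    """Build a Set-Cookie header value for the session id.

    Without Max-Age (or Expires) the browser treats this as a *session
    cookie* and discards it when the browser closes, which is the
    "close your browser and you are logged out" behaviour from the thread.
    With Max-Age the cookie survives a browser restart ("stay logged in"),
    so the server-side expiry below becomes the only remaining limit.
    """
    attrs = [f"{COOKIE_NAME}={sid}", "Path=/", "Secure", "HttpOnly", "SameSite=Lax"]
    if max_age is not None:
        attrs.insert(1, f"Max-Age={int(max_age.total_seconds())}")
    return "; ".join(attrs)


@dataclass
class Session:
    user: str
    created: datetime    # when the user authenticated
    last_seen: datetime  # most recent accepted request on this session


@dataclass
class SessionStore:
    """Server-side session table with two independent expiry rules."""
    idle_timeout: Optional[timedelta] = None      # expire after this much inactivity
    absolute_timeout: Optional[timedelta] = None  # expire this long after login, active or not
    sessions: Dict[str, Session] = field(default_factory=dict)

    def login(self, sid: str, user: str, now: datetime) -> None:
        self.sessions[sid] = Session(user=user, created=now, last_seen=now)

    def touch(self, sid: str, now: datetime) -> Optional[str]:
        """Validate a request at time `now`; return the user, or None if expired.

        An accepted request refreshes last_seen (restarting the idle clock)
        but never moves `created`, so the absolute clock keeps running.
        Expired entries are deleted so a stale id cannot be presented again.
        """
        s = self.sessions.get(sid)
        if s is None:
            return None
        if self.absolute_timeout is not None and now - s.created > self.absolute_timeout:
            del self.sessions[sid]
            return None
        if self.idle_timeout is not None and now - s.last_seen > self.idle_timeout:
            del self.sessions[sid]
            return None
        s.last_seen = now
        return s.user


def compare_policies() -> Dict[str, bool]:
    """Replay the scenario from the thread under both policies.

    Login, several visits during the day, the last one 30 minutes before
    the 8-hour mark, then one request shortly after it. Returns, per
    policy, whether that final request is still accepted.
    """
    t0 = datetime(2012, 9, 13, 8, 0, tzinfo=timezone.utc)      # constructed login time
    visits = [t0 + timedelta(hours=h) for h in (1, 3, 5, 7.5)]  # last visit at 7h30
    final = t0 + timedelta(hours=8, minutes=5)

    policies = {
        "absolute_8h": SessionStore(absolute_timeout=timedelta(hours=8)),
        "idle_8h": SessionStore(idle_timeout=timedelta(hours=8)),
    }
    results = {}
    for name, store in policies.items():
        store.login("sid-1", "nrickert", t0)
        for t in visits:
            assert store.touch("sid-1", t) == "nrickert"  # active user stays logged in
        results[name] = store.touch("sid-1", final) is not None
    return results


if __name__ == "__main__":
    print(set_cookie_header("sid-1"))
    print(set_cookie_header("sid-1", max_age=timedelta(hours=8)))
    print(compare_policies())
```

Under the absolute policy the final request is rejected even though the user was active 35 minutes earlier, which is exactly the complaint in the last post; under the idle policy it is accepted, and the user is logged out only after 8 hours without a request. Which of the two is appropriate is a risk decision (an absolute limit caps how long a stolen session id is useful, an idle limit matches the "visiting several times a day" pattern), and a store can apply both at once by setting both fields. The session-cookie question is independent of either: it is decided by whether Max-Age is sent at all.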